ASP Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.11

Managing Session with and without Cookies


(Continued from previous part...)

Managing Your Own Session State

As you saw in the previous section, the IIS ASP server cannot manage session state for you unless the browser accepts cookies. If you have to support browsers that refuse cookies, you need to design your own session management.

To design a session management system, we need to understand the basic requirements and options:

1. Session: An abstract representation of a sequence of HTTP request/response pairs between one user and the ASP server. The requests in the sequence need to be linked together so that they can share information. In my number game example, I need a session to carry the same target number from one request to the next.

2. Session ID: A unique value that identifies each session. Session IDs could be generated sequentially as 1, 2, 3, ..., n, but that is a security problem: a user could easily guess the ID of another active session on the server and fake a browser request with that ID to take over the other session and read its information. The protection comes from unpredictability, not from encryption: generate the ID from a cryptographically strong random number generator, with enough bits (128 is the usual choice) that guessing a valid ID is hopeless.

3. Session ID Transfer: Once a session ID is generated, it must be sent to the browser, and the browser must send it back with the next request. We already know one way to transfer the session ID: a cookie, which is what the IIS ASP server does. Another way is to embed the session ID in the URL of the next request. For example:

<a href="NextPage.asp?sessionId=nnnnnn">Next Page</a>

Keep in mind that an ID carried in the URL ends up in browser history, bookmarks, proxy and web server logs, and in the Referer header sent to any site linked from the page, so anyone who can read those can replay the session. Another way is to embed the session ID in an HTML form as a hidden field on the next page, so that when the user submits the form the session ID comes back as part of the user data. For example:

<input type="hidden" name="sessionId" value="nnnnnn">

4. Storing Session Information: As you know, the main purpose of introducing sessions is to store information to be shared from request to request, so we need a place to keep it. The IIS ASP server offers a Session object with an open collection for exactly this purpose, but that object only exists while IIS manages the session for you (it is tied to the session cookie), so we cannot use it in our own session management.

One way to store session information is the server file system. When information needs to be shared with the next request, write it to a file named after the current session ID. When handling the next request, read it back based on the session ID.

Another way is the Application object offered by the IIS ASP server. The Application object has an open collection, shared by all requests, in which you can store any information labelled with the current session ID. When handling the next request, you read it back based on the session ID. Because the collection is shared by concurrent requests, wrap updates in Application.Lock and Application.Unlock.

Of course you also need to delete the stored information when a session ends; otherwise your storage grows without bound as users keep arriving at your server.

You should also have a mechanism to expire inactive sessions, because users may abandon a session at any point in the request sequence, and an expiry limit also narrows the window in which a stolen ID can be replayed.

To show an example of managing your own sessions without cookies, I modified my number game into game_without_cookie.asp:

<script language="vbscript" runat="server">
'  game_without_cookie.asp
'  Copyright (c) 2004 by Dr. Herong Yang
'  This ASP page offers a simple game, relying on the Application object
'  (not the Session object, which needs a cookie) to remember the target
'  number, keyed by a home-made session ID.
'
   sessionId = request.QueryString("sessionId")
   response.write("<html><body>")
   if Len(sessionId) = 0 then
      ' New session: hand out the next sequential ID. The Application
      ' collection is shared by all requests, so lock it while updating
      ' the counter.
      application.Lock
      sessionId = Cint(application("lastSessionId")) + 1
      application("lastSessionId") = sessionId
      application.Unlock
      Randomize()
      number = Int(100*Rnd())
      application(sessionId & ".number") = number
      response.write("Welcome to the Game Server!<br/>")
      response.write("I have a number between 0 and 100" & _
         " for you to guess.<br/>")
   else
      ' Existing session: look up its target number by session ID.
      guess = request.QueryString("guess")
      number = application(sessionId & ".number")
      if Not IsNumeric(guess) then
         response.write("Please enter a whole number.<br/>")
      elseif Cint(guess) = Cint(number) then
         Randomize()
         number = Int(100*Rnd())
         application(sessionId & ".number") = number
         response.write("Congratulations, you win!<br/>")
         response.write("I have another number between 0 and 100" & _
            " for you to guess.<br/>")
      elseif Cint(guess) > Cint(number) then
         response.write("Your guess is too high. Please make" & _
            " another guess.<br/>")
      else
         response.write("Your guess is too low. Please make" & _
            " another guess.<br/>")
      end if
   end if
   ' Carry the session ID to the next request as a hidden form field.
   response.write("<form action=""game_without_cookie.asp"" method=""get"">")
   response.write("<input type=""hidden"" name=""sessionId""" & _
      " value=""" & sessionId & """>")
   response.write("Your guess:")
   response.write("<input type=""text"" size=""4"" name=""guess"">")
   response.write("<input type=""submit"" name=""submit"" value=""Submit"">" & _
      "<br/>")
   response.write("</form>")
   response.write("ASP Server session ID is " & session.SessionID & _
      "<br/>")
   response.write("My session ID is " & sessionId & "<br/>")
   response.write("</body></html>")
</script>

If you run this page, the game keeps working even after you turn off cookie support in your browser.

Note that:

  • My session IDs are generated sequentially, so anyone can guess the ID of another active session. Not secure.
  • For each session, the ID is transferred as a hidden input value of the HTML form that takes the user's input (and, because the form uses GET, it also appears in the URL of the next request).
  • The shared information, the target number, is stored in the IIS Application object with the session ID as part of the key.
  • There is no mechanism to detect the end of a session or an inactive session, so do not use this example as a real application. If you do, your server will slowly run out of memory as more and more users come to your server.
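The four requirements listed earlier (an unguessable ID, transfer by URL or hidden field, a server-side store keyed by the ID, and deletion plus idle expiry) together with the two shortcomings noted above (sequential IDs, no expiry) can be put together in one small session manager. The following Python code is an example added here for illustration; it is not code from this tutorial. It stands in for the IIS Application object with an in-memory dictionary, replaces the `lastSessionId + 1` counter with 128 random bits from the operating system, and adds the idle-timeout sweep that game_without_cookie.asp lacks. The names `SessionStore`, `handle_request`, `new_session_id`, `hidden_field` and `next_page_url`, and the query dictionaries that play the role of Request.QueryString, are assumptions for this example.

```python
import random
import secrets
import time
from html import escape
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

SESSION_ID_BYTES = 16        # 128 bits of entropy: guessing a live ID is hopeless
IDLE_TIMEOUT = 20 * 60       # seconds; 20 minutes matches the IIS Session.Timeout default


def new_session_id() -> str:
    """Replaces the tutorial's sequential counter with an unpredictable ID."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def next_page_url(sid: str) -> str:
    """Session ID carried in the URL. It ends up in logs, history and
    Referer headers, so prefer the hidden field or a cookie where you can."""
    return "NextPage.asp?" + urlencode({"sessionId": sid})


def hidden_field(sid: str) -> str:
    """Session ID carried as a hidden form field, HTML-escaped."""
    return '<input type="hidden" name="sessionId" value="%s">' % escape(sid, quote=True)


class SessionStore:
    """In-memory stand-in for the IIS Application object: per-session data
    keyed by ID, with idle expiry so abandoned sessions are reclaimed."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT,
                 clock: Callable[[], float] = time.monotonic):
        self._data: Dict[str, dict] = {}
        self._last_seen: Dict[str, float] = {}
        self._timeout = idle_timeout
        self._clock = clock   # injectable so expiry can be exercised without waiting

    def create(self) -> str:
        sid = new_session_id()
        while sid in self._data:          # a collision is astronomically unlikely
            sid = new_session_id()
        self._data[sid] = {}
        self._last_seen[sid] = self._clock()
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session's data, or None for an unknown or expired ID.
        A successful lookup counts as activity and pushes the expiry forward."""
        if sid not in self._data:
            return None
        now = self._clock()
        if now - self._last_seen[sid] > self._timeout:
            self.end(sid)
            return None
        self._last_seen[sid] = now
        return self._data[sid]

    def end(self, sid: str) -> None:
        """Explicit termination: delete everything stored under the ID."""
        self._data.pop(sid, None)
        self._last_seen.pop(sid, None)

    def sweep(self) -> int:
        """Reclaim idle sessions; run this periodically. Returns the number removed."""
        now = self._clock()
        stale = [s for s, t in self._last_seen.items() if now - t > self._timeout]
        for s in stale:
            self.end(s)
        return len(stale)

    def __len__(self) -> int:
        return len(self._data)


def handle_request(store: SessionStore, query: Dict[str, str], rng=None):
    """One request of the number game; `query` plays Request.QueryString.
    Returns (session ID to echo back in the form, message for the page)."""
    rng = rng or random.SystemRandom()
    sid = query.get("sessionId", "")
    data = store.get(sid) if sid else None
    if data is None:                      # no ID, an unknown (forged) ID, or an expired one
        sid = store.create()
        data = store.get(sid)
        data["number"] = rng.randrange(0, 101)
        return sid, "Welcome to the Game Server! I have a number between 0 and 100."
    try:
        guess = int(query.get("guess", ""))
    except ValueError:
        return sid, "Please enter a whole number."
    number = data["number"]
    if guess == number:
        data["number"] = rng.randrange(0, 101)
        return sid, "Congratulations, you win! I have another number for you."
    if guess > number:
        return sid, "Your guess is too high."
    return sid, "Your guess is too low."


if __name__ == "__main__":
    store = SessionStore()
    sid, msg = handle_request(store, {})
    print(msg, hidden_field(sid), next_page_url(sid), sep="\n")
```

A forged or stale `sessionId` never reaches another user's data: `get` returns None for anything it does not recognise, and `handle_request` then starts a fresh session instead. The `clock` parameter exists only so that expiry can be driven deterministically; in production leave the default.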


Dr. Herong Yang, updated in 2004